RE: [Full-Disclosure] RE: Windows XP explorer.exe heap overflow.

I have modified this WMF and the explorer process take 100% of the cpu

Using WinXP all patch applied

-H

-----Original Message-----
From: Otero, Hernan (EDS) [mailto:HOtero@lanchile.cl]
Sent: Martes, 24 de Febrero de 2004 12:13
To: Michael Wojcik; bugtraq@securityfocus.com
Cc: Chris Calabrese; sunglasses@bay-watch.com;
full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] RE: Windows XP explorer.exe heap overflow.

Looking at the source... everyone knows where and how..., this piece of code
could be part of the problem...

// read in the header
    if (!Read(&emh, sizeof(emh))) //<--- This will fill up all header
records
       return;

    _xWid = emh.rclBounds.right - emh.rclBounds.left;
    _yHei = emh.rclBounds.bottom - emh.rclBounds.top;
    
    // Post WHKNOWN
    OnSize(_xWid, _yHei, _lTrans);

    // allocate a buffer to hold metafile
    ulSize = emh.nBytes; //<---- This value could be any
arbitrary value
    pbBuf = (LPBYTE)MemAlloc(Mt(CImgTaskEmfBuf), ulSize); //<-- Memory
//allocation size is referenced to that arbitrary value.
    if (!pbBuf)
        return;

    // copy the header into the buffer
    memcpy(pbBuf, &emh, sizeof(emh)); <--// Arbitrary buf size receiving
an //arbitrary size
header

    // read the metafile into memory after the header
    if (!Read(pbBuf + sizeof(emh), ulSize - sizeof(emh)))
        goto Cleanup;

Just supposed things...

-H

-----Original Message-----
From: Michael Wojcik [mailto:Michael.Wojcik@microfocus.com]
Sent: Lunes, 23 de Febrero de 2004 18:37
To: bugtraq@securityfocus.com
Cc: Chris Calabrese; sunglasses@bay-watch.com
Subject: RE: Windows XP explorer.exe heap overflow.

Yep. I suggested that on Vuln-Dev nearly four years ago [1], but I never
pursued it, and this is the first time since then that I've seen it come up.

In Outlook 2002 (aka Outlook XP, aka Outlook 10) and later, you can disable
the automatic display of any kind of non-text content by forcing Outlook to
render all email as plain text. This is a huge improvement over normal
Outlook behavior; besides making Outlook much less dangerous, it spares you
annoying markup of all kinds.

Create the Registry key

HKCU\Software\Microsoft\Office\10.0\Outlook\Options\Mail\READASPLAIN

as a DWORD and set it to 1. Presto - no more HTML, no more RTF, no more
pictures.

1. http://www.securityfocus.com/archive/82/50050

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus
> -----Original Message-----
> From: Chris Calabrese [mailto:chris_calabrese@yahoo.com] 
> Sent: Monday, February 23, 2004 4:31 PM
> To: sunglasses@bay-watch.com; bugtraq@securityfocus.com
> Subject: Re: Windows XP explorer.exe heap overflow.
> 
> 
> This could actually be much worse since it looks like 
> Internet Explorer
> and Outlook will happily display WMF files with no questions asked.
> 
> Has anyone crafted a test WMF file we can use to check whether this
> could be exploited via an email worm through Outlook?
> 
> On 2/20/2004 1:45 PM, sunglasses@bay-watch.com wrote:
> >
> >Vulnerability in XP explorer.exe image loading
> >
> >----------------------------------------------
> >
> >
> >
> >Systems affected: 
> >
> >  Current XP - others not tested.
> >
> >
> >
> >Degree: 
> >
> >  Arbitrary code execution.
> >
> >
> >
> >Summary
> >
> >-------
> >
> >A malformed .emf (Enhanced Metafile, a graphics format) file 
> can cause
> an exploitable heap overflow in (or near) shimgvw.dll.
> >
> >
> >
> >Details
> >
> >-------
> >
> >The image preview code that explorer uses has an exploitable buffer
> overflow.
> >
> >
> >
> >An .emf file with a "total size" field set to less than the header
> size will causes explorer.exe to crash in the heap routines - in
> classic heap overflow style that should be exploitable a la the RPC
> exploits.
> >
> >
> >
> >There are two overflows here:
> >
> >
> >
> >1. A buffer is allocated with the size indicated in the header (no
> validity checks), then the header is copied into it - if the size is
> less than the header size, that's one overflow.
> >
> >
> >
> >2. They then proceed to read the rest of the file to a length of
> (size-headersize), which allows for an integer overflow causing the
> rest of the file to be appended to the already blown buffer.
> >
> >
> >
> >Exploit
> >
> >-------
> >
> >To exploit this flaw (in explorer), simply place a malformed (invalid
> "size" field) .emf file 
> >
> >in any directory, open explorer to that path, and view as Thumbnails.
> Bang. In it's simplest 
> >
> >form it's a DOS - it affects all explorer windows, including 
> File Open
> dialogs for many programs.
> >
> >
> >
> >Alternatively, without viewing as a Thumbnail, open the picture
> preview window for the .emf file. (It's the default double-click
> action). Using this trigger causes a different crash point, which may
> not be exploitable, but I wouldn't rule it out.
> >
> >
> >
> >Additional notes
> >
> >----------------
> >
> >It may be worth checking out similar issues in .wmf files, 
> as they are
> similar.
> >
> >
> >
> >
> >
> >- Jellytop, 2004 
> >
> >
> >
> >"If a man will begin with certainties, he shall end in doubts; but if
> he will be content to 
> >
> >begin with doubts he shall end in certainties."
> >
> 
> 
> __________________________________
> Do you Yahoo!?
> Yahoo! Mail SpamGuard - Read only the mail you want.
> http://antispam.yahoo.com/tools
> 
> ______________________________________________________________
> __________
> This e-mail has been scanned for viruses by MCI's Internet 
> Managed Scanning Services - powered by MessageLabs. For 
> further information visit http://www.mci.com
> ______________________________________________________________
> __________
> 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
  

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html